Re: [users@httpd] How to get someone to look at a Apache bug report on Red Hat's Bugzilla?

2022-03-10 Thread Jeroen Verhoeckx
@Yehuda Katz: what do you think of my e-mail/comment below?


Re: [users@httpd] How to get someone to look at a Apache bug report on Red Hat's Bugzilla?

2022-03-01 Thread Jeroen Verhoeckx
> Please keep your replies on the mailing list so that everyone can benefit 
> from the discussion.

Oh, sorry, I probably clicked on Reply and not Reply All! Will keep an eye on 
that in the future!

I'm worried that the version of Apache released by The Apache Software 
Foundation is less safe because of the warnings
[on this page of Red Hat](https://access.redhat.com/solutions/445713):

"Note that the versions of Apache HTTP Server included in the above products 
are in most cases vastly different from the upstream community releases of the 
same version
This is explained by Red Hat's Security Backporting Policy and is the most 
common cause of admins/auditors trying to get a newer version of Apache
For example: EWS 2.1.0 & EAP 6.4.0 include Apache httpd based on upstream 
v2.2.26; however, they also include multiple CVE security fixes which are not 
in the original community release of Apache httpd 2.2.266
Community releases of Apache httpd are NOT supported"

What do you think of this?

- Jeroen


Support the independent web, use 
[Firefox](https://www.mozilla.org/en-US/firefox/new/)


Re: [users@httpd] How to get someone to look at a Apache bug report on Red Hat's Bugzilla?

2022-03-01 Thread Yehuda Katz
Please keep your replies on the mailing list so that everyone can benefit
from the discussion.

What is your "threat model" in which this way is less safe?

For example: Are you worried that the packaged version from someone else
has been modified with a backdoor? Are you worried that you would not be
able to get RPMs for new versions in a timely fashion when a security issue
is announced?

There are different ways to address different concerns, but if you are more
specific, we can make sure you get the best answer.

- Y

Sent from a device with a very small keyboard and hyperactive autocorrect.

On Tue, Mar 1, 2022, 11:18 AM Jeroen Verhoeckx 
wrote:

>> Since you don't have paid support from RedHat, there is absolutely no
>> reason to not install your own version of httpd.
>
> I don't mind doing that but I'm afraid it's less safe?
>
>
> Thanks for thinking along!
>
> Jeroen Verhoeckx


RE: [users@httpd] How to get someone to look at a Apache bug report on Red Hat's Bugzilla?

2022-02-24 Thread Marc
> 
> Since you don't have paid support from RedHat, there is absolutely no
> reason to not install your own version of httpd.
> 

I agree. The days of relying on a lts distribution are coming to an end. I have 
the impression that RedHat is not the place to be anymore. Moving packages from 
the lts to scl, now dropping centos etc. They seem not to be able to catch up 
with patching everything. I think the trend will be getting your crucial rpm's 
directly from the source.


Re: [users@httpd] How to get someone to look at a Apache bug report on Red Hat's Bugzilla?

2022-02-24 Thread Yehuda Katz
In terms of getting a RedHat engineer, it looks like you have done all you
can do. There are RedHat developers on this list and on the RedHat forums
and they also look at Bugzilla, so there probably isn't much more you can
do.

Since you don't have paid support from RedHat, there is absolutely no
reason to not install your own version of httpd.

- Y

On Thu, Feb 24, 2022 at 9:37 AM Jeroen Verhoeckx 
wrote:

> Hello Yehuda,
>
> First: sorry for my very late reply!
>
>> You mention in the bug report that you are running an old version of
>> HTTPD because you are using the version packaged by RedHat.
>> Your bug report asks RedHat to backport the specific fixes for your
>> issue.
>
> Yes, that's a really good summary of what I try to achieve!
>
>
> About the two options:
>
>
> 1. I have the 'Red Hat Developer Subscription for Individuals' and
>    thus I'm not entitled to get any official support.
> 2. Red Hat strongly discourages the installation of a different
>    version of Apache (https://access.redhat.com/solutions/445713).
>
>
>
> I asked the same question on Red Hat Community portal (
> https://access.redhat.com/discussions/6756211) but so far I didn't get
> any reaction.
>
>
> Does someone know where the Apache developers of Red Hat hang out?
>
>
>
> Jeroen Verhoeckx


Re: [users@httpd] How to get someone to look at a Apache bug report on Red Hat's Bugzilla?

2022-02-18 Thread Yehuda Katz
You mention in the bug report that you are running an old version of HTTPD
because you are using the version packaged by RedHat.
Your bug report asks RedHat to backport the specific fixes for your issue.

I see two options for you going forward:
1. Contacting RedHat: You need a subscription to do this. Posting to the
upstream HTTPD mailing list probably won't help.

2. Use a different package: There are newer rpms available if you don't
want to build your own. You can look at rpmfind or build the rpm yourself
(https://httpd.apache.org/docs/2.4/platform/rpm.html)

- Y



[users@httpd] How to get someone to look at a Apache bug report on Red Hat's Bugzilla?

2022-02-18 Thread Jeroen Verhoeckx
Hello Apache Administrators,

On 6 January I reported a possible bug of Apache on Red Hat's Bugzilla, but no 
one has responded since then.

It's about this bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=2037967

Does someone have an idea about what I could do next?
Does someone know a place where I can contact RHEL Apache
developers/administrators?
Or is there another friendly way to get attention for this bug report?

Yours sincerely,

Jeroen Verhoeckx


Support the independent web, use 
[Firefox](https://www.mozilla.org/en-US/firefox/new/)